Security of Home Assistant


As Home Assistant is like every other service or daemon that is running on a computer system that allows access over a network connection, certain measurement were taken to increase the overall security while still staying operational.

Secure your installation once you’ve finished with the installation process regardless of your use case.

Home Assistant is NOT able to change the configuration of your router or firewall. This means that you need to setup port-forwarding and adjusting firewall rules if you want to allow access from the internet. By default your frontend and your Hass.io add-ons like Mosquitto, SSH and your Samba shares are only accessible from your local network.

Server banner

Further details about the fingerprint/server banner of a Home Assistant instance are available.

Porosity

The default port of Home Assistant is 8123. This is the port where the frontend and the API is served. Both are depending on the http component which contains the capability to adjust the settings like server_host or server_port.

See the open ports of a Hass.io instance with various add-ons.

HTTP SSL/TLS

Home Assistant is following the Mozilla’s Operations Security team recommendations for Server side SSL/TLS settings. To allow the users to access Home Assistant with most devices the target is Intermediate compatibility.

SSH

The SSH connection for debugging on port 22222 is not enabled by default and can only be used with keys.

Is SSH used with the SSH server add-on then the user is responsible for the configuration and security.

Source code

Due to the lack of resources we are not able to review all of our dependencies and inspect them for malicious behavior, leakage of information or compliance with GDPR. But we have a keen interest in the development of our dependencies are try to work closely with the upstream developer.